Metasploit: Join the Arms Race

What's the biggest threat to your organization's network? Arguably, it's Metasploit, an easy-to-use hacking system that reduces the job of compromising computers to a simple point-and-click exercise.

"Metasploit is a genius concept to standardize the development and use of exploits so anyone can use them," says Mati Aharoni, one of the experts behind BackTrack 2, a security oriented Linux distribution based on Slax. "It is a brilliant system, especially for penetration testers, and it has become the number one tool for every security and analysis person."

The problem is that Metasploit is freely available to hackers as well as security pros. It's a bit like an arms race, then: if the baddies are armed with Metasploit, you had better make sure that you have it too. If not, you'll be the digital equivalent of outgunned.

One of the biggest innovations of the latest version of Metasploit, Framework 3, is the db_autopwn feature, a database-driven process which scans your network and automatically compromises as many machines as it can using any of the current Metasploit exploits. This is certainly worth trying out on your network, because if it succeeds it means you have security problems that anyone running Framework 3 will find without any hacking skills at all. (In fact, if you are going to do this to your own network, read up on it first – some of db_autopwn's actions could crash your machines if they're vulnerable.) There are other powerful penetration testing programs that can "hack" a network automatically – notably Core Security's Core Impact – but none that are freely available like Metasploit.

For added flexibility, Metasploit also allows users to build their own bespoke attacks. A hacker may discover, using any number of methods (including scanning or asking staff members), that you have a machine on your network susceptible to one of the nearly 200 exploits currently included in Framework 3 – perhaps a buffer overflow error which allows an attacker to insert and execute arbitrary code. The next question is what arbitrary code – or payload – should the hacker insert? The particular overrun may offer just 800 bytes in which to insert code, but this is more than enough for just about all of the payloads supplied with Metasploit.

So once an attacker has found a vulnerability and selected a payload, and after supplying a few other parameters – such as the IP address of the machine to be attacked or his own machine, depending on the payload – he is ready to perform the exploit.

Or is he? What happens if the attacker has no obvious way of accessing the machine he wants to compromise directly? One answer is to use Metasploit's little-known option X. Instead of performing an exploit immediately, Metasploit provides the option – option X – of turning the entire exploit, complete with payload and all the other parameters required, into a PE, or Portable Executable, .exe file. So all a hacker needs to do is give the file some suitably innocuous name like update.exe and email it to the victim computer. He'll need some social engineering skills to get the recipient to double click on it, and that, as they say, will be that: the machine will run the payload and be well and truly pwned.

Your users will doubtless have been trained never to click on .exe files they receive by email, and with any luck your email filters would stop them being delivered anyway. But it's a simple matter to change a file extension to foil an email filter, and if social engineering can be used to get someone to double click on a file it can certainly be used to get someone to rename a file as an executable.
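Because a renamed extension is all it takes to slip past a name-based filter, a mail gateway should decide by content rather than by filename. The following is an added example, not code from the article or from Metasploit: it checks an attachment for the PE header (the `MZ` DOS stub and the `PE\0\0` signature at the offset stored in `e_lfanew`) and flags executable content whatever the file is called. The sample attachments are constructed inline.

```python
"""Content-based executable detection for mail attachments (added example).

A Windows PE file starts with the 'MZ' DOS header and carries a 'PE\0\0'
signature at the offset stored in e_lfanew (DOS header bytes 0x3C-0x3F).
Checking for that is cheap and does not care what the file is named.
"""
import struct


def looks_like_pe(data: bytes) -> bool:
    """Return True if data carries a PE header, whatever its filename."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):          # truncated or bogus e_lfanew
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify_attachment(name: str, data: bytes) -> str:
    """Block executable content regardless of the extension it wears."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if looks_like_pe(data):
        if ext in ("exe", "dll", "scr", "com"):
            return "block: executable attachment"
        return f"block: PE content disguised as .{ext or '(none)'}"
    return "allow"


def fake_pe_sample() -> bytes:
    """Constructed minimal PE-like header: DOS stub whose e_lfanew -> 'PE\0\0'."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)          # 64-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)           # e_lfanew = 0x40
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20  # COFF header stub


# Constructed samples: the same bytes under an honest name and a renamed one.
SAMPLES = {
    "update.exe": fake_pe_sample(),
    "update.txt": fake_pe_sample(),   # renamed to slip past an extension filter
    "notes.txt": b"Meeting notes\n",
}

if __name__ == "__main__":
    for attachment_name, content in SAMPLES.items():
        print(f"{attachment_name:12} -> {classify_attachment(attachment_name, content)}")
```

The same check can be applied after unpacking archives, since a renamed executable inside a .zip is the usual next step once bare attachments are blocked.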

So it's important to realize that, with the help of Metasploit, making this type of Trojan file is really not hard at all. If you are aware of this then at least you can think about the steps you need to take to prevent your users from falling victim to one.

If they do fall victim, what kind of payloads might be run on their system using Metasploit? When a machine is compromised by a Metasploit user, what are the implications?

Metasploit has payloads for a variety of OSes including Windows, Linux, OS X, BSD and Solaris. The most basic payload is a simple bind shell: the attacker's machine connects to the victim machine and gets a command prompt. There's also a reverse variant, which causes the compromised machine to connect back to the attacker and spawn a command shell. With the command shell the hacker can do anything someone sitting at the machine could do, with the privileges of the current user.

But there are also more insidious payloads which cause an exploited machine to download an .exe file from a given URL and execute it, or which inject a VNC server onto a compromised machine and connect back to the attacker, providing him with a full color remote desktop experience on the compromised machine.

Perhaps the most flexible payload is the Meterpreter "uber-payload," a kind of extensible command shell which an attacker can use to get up to all kinds of mischief. With a Meterpreter shell in place an attacker can use upload and download commands to move files to and from the compromised computer from his own machine. The SAM Meterpreter extension (at the time of writing only available using the older Metasploit Framework 2) also enables a "gethashes" command to easily dump the password hashes from the exploited machine's SAM on to the attacker's machine for cracking.

It's pretty clear from this that Metasploit, in the wrong hands, could be used to do a great deal of damage to the machines under your care, so do yourself a favor and make sure the odds aren't stacked against you. Get yourself a copy (it runs on Linux or Windows, and even the tiny handheld Nokia N800 Linux device) and see what vulnerabilities it can exploit before someone else does. You can use this knowledge to put things right. Other Metasploit users exploring your network might not be so kind.